A maker of fill and finish processing lines for the pharmaceutical and cosmetics industries, groninger USA, LLC (www.groningerusa.com) has become a big believer in remote diagnostics and troubleshooting over the Internet. The firm has worked with Phoenix Contact (www.phoenixcontact.com/usa) to develop and implement a remote service function option for its machines. Called Remote Video Service, this function provides a customer-initiated secure virtual private network (VPN) connection between a machine at the customer’s facility and groninger’s secure internal service network. Groninger relies on the FL mGuard VPN NAT router from Phoenix Contact on both the customer and groninger service network sides to initiate and maintain a secure encrypted VPN connection. Remote Video Service is offered as an option when purchasing a new machine, or an upgrade for existing machines with Ethernet capability.

The way it works is that if a customer has a technical problem with a machine, he or she can call the regional groninger service office in Charlotte. The groninger engineer on duty will ask the customer to initiate a VPN connection by operating a key switch. A VPN tunnel then connects the customer to the regional groninger service office through the Internet.


At the groninger service office, the VPN tunnel connects with the groninger internal service network. This is a secure network that connects all groninger service offices. This secure configuration allows the engineer on duty in Charlotte as well as groninger specialists in Germany (where groninger is headquartered) to access the VPN tunnel to the customer.

The machine network—which can include PLCs, HMI, servo controllers, and other Ethernet devices—is at the customer’s end of the VPN tunnel. The service engineers and specialists at groninger can access these devices to see live program status, make changes if necessary, back up and/or restore programs, create new recipes, and provide machine or software updates or revisions.

The remote service function also provides the capability for the customer to connect a remote-control camera to the machine network. In addition to actually seeing live PLC and I/O status, groninger engineers can see the machine from an operator’s perspective by panning, tilting, and zooming the remote controllable camera to the problem area. After the problem is resolved or the machine PLC or program is updated, the customer can switch the VPN key to disconnect the machine network from the groninger service network.

Typically, customers control the VPN key switch and initiate the connection to the groninger service network. However, this isn’t the only scenario. In some cases, customers may choose an always-on VPN connection. Machine access for ongoing remote preventive maintenance is a good reason to have an always-on connection. To enable the always-on VPN connection, the customer would leave the key switch in the “on” position.


The secure groninger service network is set up to handle more than one VPN tunnel from its customers, and the IP addresses are managed to make this possible. Firewall settings prevent customers from accessing the groninger service network outside of service engineer control. This is how groninger prevents customers from accessing other customers’ VPN tunnels that could be open at the same time.

Every groninger machine has an analog phone modem. However, while Internet speed continues to increase, using analog modems and phone lines is becoming increasingly problematic. In many facilities, analog phone lines are few and far between. If one can actually be found, it may not be in convenient proximity to the machine. The baud rate of an analog phone line is also very slow, especially as compared to a modern high-speed broadband Internet connection.

Making Remote Video Service capabilities possible

Designing a system that is easy to set up and maintain in the many different IT environments found at customer sites was one of groninger’s primary goals. The firm wanted a system that would provide faster help at lower travel cost, resulting in less downtime for customers. Another goal was to free up groninger service engineers so they could help more customers in a shorter period of time.

Going into the development of the remote service function, a requirement was to allow a connection to route through two Network Address Translation (NAT) routers. One of the NAT routers would be at a customer’s site, and the other would be at groninger. To satisfy this requirement, groninger selected the FL mGuard VPN NAT router from Phoenix Contact.

The router provides the protection of a stateful firewall (more on this in a moment), network routing, NAT address translation, and support for IT networking protocols such as DHCP, DNS, QoS, and VLANs. The router’s VPN feature supports all the necessary certificates, authentications, and encryptions.

A router moves packets of data through a series of networks from source to destination. Routers are often confused with bridges or switches, which also forward packets, but only within a local network and by MAC address. Routers enable messages to travel via the Internet, and they can connect multiple networks together.

Why is a “stateful” firewall important? Because it keeps track of the state of each network connection, such as a TCP stream or a UDP exchange, as the packets pass through the firewall. With this connection-tracking information, the router can distinguish legitimate packets belonging to known connections from packets that belong to none.

For example, a TCP packet that has the FIN flag set will not be accepted if a TCP packet with the SYN set hasn’t been seen in that stream. Only packets matching a known connection state will be allowed by the firewall; others will be dropped or rejected.

Setting explicit rules for inbound communication is time consuming when using a non-stateful firewall or a simple access-control list. Sometimes, this rule-setting step is skipped or not performed completely, allowing unwanted traffic to enter the network and rendering the firewall virtually useless.

With a stateful firewall, the connection-tracking algorithm handles the reply traffic on its own, so users only need to define rules for permitted unsolicited traffic, such as a PLC that itself initiates a connection.
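The following toy packet filter is an added illustration of the connection-tracking behaviour described above and of the point made earlier that customers cannot reach the service network except under engineer control. It is not the mGuard’s firmware or any Phoenix Contact or groninger code; the two subnets, the addresses, the port numbers and the rule set are constructed assumptions chosen to match the article’s topology (service network on one side of the tunnel, machine network on the other). The rules cover only unsolicited traffic; replies are accepted or dropped purely on the basis of the connection table, and a FIN with no preceding SYN is dropped exactly as the text describes.

```python
"""Toy stateful packet filter (constructed example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: service engineers behind one tunnel end, the
# customer's machine network (PLC, HMI, camera) behind the other.
SERVICE_NET = ip_network("10.10.0.0/16")
MACHINE_NET = ip_network("192.168.50.0/24")

# Rules are needed only for *unsolicited* traffic (the side that opens a
# connection). Each rule: (source net, destination net, dst port or None=any).
ALLOW_UNSOLICITED = [
    (SERVICE_NET, MACHINE_NET, None),  # engineers may open connections to machine devices
    (MACHINE_NET, SERVICE_NET, 443),   # a PLC that itself initiates a connection (constructed port)
]


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN","ACK"}, {"FIN","ACK"}


class StatefulFirewall:
    def __init__(self, rules=ALLOW_UNSOLICITED):
        self.rules = rules
        self.table = {}  # direction-independent 5-tuple -> connection state

    @staticmethod
    def key(p):
        # Both directions of one connection map to the same table entry.
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _rule_allows(self, p):
        s, d = ip_address(p.src), ip_address(p.dst)
        return any(s in sn and d in dn and (port is None or port == p.dport)
                   for sn, dn, port in self.rules)

    def filter(self, p):
        """Return 'ACCEPT' or 'DROP' and update the connection table."""
        k = self.key(p)
        state = self.table.get(k)
        if p.proto == "udp":
            if state is None:                 # unsolicited UDP needs an explicit rule
                if not self._rule_allows(p):
                    return "DROP"
                self.table[k] = "UDP"
            return "ACCEPT"
        if state is None:
            # Only a bare SYN may create a new TCP entry, and only if a rule permits it;
            # a FIN, ACK or RST for a stream the firewall never saw is dropped.
            if p.flags == {"SYN"} and self._rule_allows(p):
                self.table[k] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
            self.table[k] = "ESTABLISHED"
        elif "FIN" in p.flags or "RST" in p.flags:
            self.table[k] = "CLOSING"
        return "ACCEPT"                       # packet belongs to a tracked connection


def run_trace():
    """Feed a constructed packet trace through the filter; returns the verdicts."""
    fw = StatefulFirewall()
    eng, plc = "10.10.4.21", "192.168.50.10"
    trace = [
        Packet("tcp", eng, plc, 50000, 102, frozenset({"SYN"})),          # engineer opens session to PLC
        Packet("tcp", plc, eng, 102, 50000, frozenset({"SYN", "ACK"})),   # PLC reply: matches table, no rule needed
        Packet("tcp", eng, plc, 50000, 102, frozenset({"ACK"})),
        Packet("tcp", plc, eng, 102, 50000, frozenset({"FIN", "ACK"})),   # orderly close of a known stream
        Packet("tcp", "192.168.50.44", eng, 40000, 3389, frozenset({"FIN"})),  # FIN with no SYN ever seen
        Packet("tcp", "192.168.50.44", eng, 40001, 3389, frozenset({"SYN"})),  # customer host into service net
        Packet("tcp", plc, "10.10.9.9", 40002, 443, frozenset({"SYN"})),  # PLC-initiated, permitted by rule
        Packet("udp", "192.168.50.44", "10.10.9.9", 5000, 5000),          # unsolicited UDP, no rule
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The fifth and sixth packets are the cases the article is concerned with: a stray FIN and an unsolicited SYN from a customer host toward the service network are both dropped, while the engineer-initiated session and the explicitly permitted PLC-initiated connection pass without any per-reply rules.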

The simplicity requirement
Easy remote-camera setup was another major groninger requirement. In fact, the groninger team wanted it to be as easy as plugging in one connector. The idea was to make it so that the customer wouldn’t have to make multiple connections such as power, data, and network. To meet this requirement, groninger uses Phoenix Contact’s Power over Ethernet module to supply the remote camera with power and data in one cable.

Wireless is another setup option for groninger’s Remote Video Service. With this option, there’s one mGuard, one key switch, and one wireless access point on each production floor. Each groninger machine using the wireless option has an antenna installed that allows it to connect to the wireless access point. “Wireless is especially effective for many of our customers in the cosmetics industry who must reconfigure their production lines regularly to accommodate changes in packaging size, shape, and types,” says Stefan Winzinger, electrical and programming engineer at groninger.

Phoenix Contact was closely involved in the Remote Video Service development process. For example, the NAT routing required a specific mGuard firmware version, which Phoenix Contact provided in just a few days.

Phoenix Contact also had a superior solution for initiating the VPN tunnel, says Winzinger. This solution was to employ an integrated input to the mGuard to connect the key switch for initiating the VPN tunnel.

“We formally introduced Remote Video Service at PackExpo 2010 in Chicago, and it was well-received by attendees, and subsequently by our customers,” says Winzinger. “Because of Remote Video Service, our customers now receive immediate troubleshooting assistance and ongoing production support.”